CVE-2025-15118

4.3 MEDIUM

📋 TL;DR

This vulnerability allows unauthorized modification of member address data in macrozheng mall versions up to 1.0.3. Attackers can exploit improper authorization in the /member/address/update/ endpoint to alter user address information without proper permissions. This affects all deployments running vulnerable versions of the software.

💻 Affected Systems

Products:
  • macrozheng mall
Versions: up to 1.0.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the Member Endpoint component specifically at /member/address/update/

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could modify address information for any user, potentially enabling social engineering, account takeover, or delivery interception in e-commerce scenarios.

🟠 Likely Case

Unauthorized users modify address data for other members, causing data integrity issues and potential privacy violations.

🟢 If Mitigated

With proper authorization controls, only legitimate users can modify their own address data, preventing unauthorized changes.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit has been publicly disclosed and remote exploitation is possible, though authentication may be required to reach the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None known

Restart Required: No

Instructions:

No official patch available. Consider upgrading to version 1.0.4 or later if available, or implement workarounds.

🔧 Temporary Workarounds

Implement Proper Authorization Checks (applies to: all)

Add an authorization check so that users can only modify their own address data: change the /member/address/update/ endpoint code to verify that the requesting user's ID matches the owner of the address being updated.
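The ownership check described in this workaround, shown as an added Python illustration against an in-memory store; this is not the mall project's own Java code, and the names `Address`, `ADDRESSES`, `member_id` and the two `update_address_*` functions are assumptions. The "before" function looks the row up by address id alone, which is the authorization gap; the "after" function scopes the lookup to the authenticated member so a row belonging to someone else is handled exactly like a missing row.

```python
"""Ownership check for an address-update operation (added example).

The vulnerable form fetches the address by id only, so any authenticated
member can overwrite any row.  The fixed form requires the row's owner to be
the caller.  Store layout and names are assumptions for illustration."""
from copy import deepcopy
from dataclasses import dataclass


@dataclass
class Address:
    id: int
    member_id: int   # owner of this address row
    detail: str


# Constructed sample data: two members, one address each.
ADDRESSES = {
    10: Address(id=10, member_id=1, detail="1 First St"),
    11: Address(id=11, member_id=2, detail="2 Second Ave"),
}


def fresh_store():
    """Return an independent copy of the sample data so updates do not leak
    between calls."""
    return deepcopy(ADDRESSES)


def update_address_vulnerable(store, current_member_id, address_id, new_detail):
    """Before: the authenticated member id is accepted but never compared with
    the row's owner, so member 1 can rewrite member 2's address."""
    addr = store[address_id]
    addr.detail = new_detail
    return addr


def update_address_fixed(store, current_member_id, address_id, new_detail):
    """After: the lookup is scoped to the caller.  A row that exists but belongs
    to another member is rejected the same way as a non-existent row, so the
    response also does not reveal which address ids exist."""
    addr = store.get(address_id)
    if addr is None or addr.member_id != current_member_id:
        raise PermissionError("address not found for this member")
    addr.detail = new_detail
    return addr


if __name__ == "__main__":
    s = fresh_store()
    hijacked = update_address_vulnerable(s, 1, 11, "attacker-chosen")
    print("vulnerable: member 1 changed row owned by member", hijacked.member_id)
    s = fresh_store()
    try:
        update_address_fixed(s, 1, 11, "attacker-chosen")
    except PermissionError as exc:
        print("fixed:", exc)
```

In a Spring Boot service the same effect is usually obtained by adding the authenticated member id to the WHERE clause of the update query, rather than updating by primary key alone; the point is that the owner comparison happens on the server using the session identity, never on an id supplied in the request body.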

Disable Vulnerable Endpoint (applies to: all)

Temporarily disable the /member/address/update/ endpoint until a proper fix is available: comment out or remove the endpoint mapping in the Spring Boot configuration.

🧯 If You Can't Patch

  • Implement network-level access controls to restrict access to the vulnerable endpoint
  • Deploy a web application firewall (WAF) with rules to detect and block unauthorized address update attempts

🔍 How to Verify

Check if Vulnerable:

Test if you can modify another user's address data by sending a PUT/POST request to /member/address/update/ with a different user ID

Check Version:

Check pom.xml or application.properties for version information

Verify Fix Applied:

Verify that authorization checks prevent modifying addresses belonging to other users

📡 Detection & Monitoring

Log Indicators:

  • Multiple address update requests from same IP for different user IDs
  • Failed authorization attempts on /member/address/update/ endpoint

Network Indicators:

  • Unusual patterns of PUT/POST requests to /member/address/update/
  • Requests with mismatched user IDs in address update operations

SIEM Query:

source="web_logs" AND uri="/member/address/update/" AND (user_id != address_owner_id OR authorization_failure=true)
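The log indicators above (ownership mismatch on the endpoint, authorization failures, and one source IP touching many members' addresses) implemented as a small detector over constructed log lines. This is an added example, not tooling from the mall project or the advisory; the JSON-per-line schema with `member_id` (authenticated session) and `address_member_id` (owner of the address row, assumed to be logged by the application) is an assumption, and the sample lines are constructed, not real traffic.

```python
"""Detection over constructed web-application log lines for the indicators
listed above (added example).  Schema and sample data are assumptions."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

TARGET_URI = "/member/address/update/"

# Constructed sample log lines: one session (member 101) updating addresses
# owned by several other members from a single IP, then a benign member.
SAMPLE_LOG = """\
{"ts":"2025-11-01T10:00:01Z","ip":"203.0.113.5","method":"POST","uri":"/member/address/update/12","member_id":101,"address_member_id":101,"status":200}
{"ts":"2025-11-01T10:00:09Z","ip":"203.0.113.5","method":"POST","uri":"/member/address/update/31","member_id":101,"address_member_id":245,"status":200}
{"ts":"2025-11-01T10:00:15Z","ip":"203.0.113.5","method":"POST","uri":"/member/address/update/47","member_id":101,"address_member_id":388,"status":200}
{"ts":"2025-11-01T10:00:22Z","ip":"203.0.113.5","method":"POST","uri":"/member/address/update/52","member_id":101,"address_member_id":402,"status":403}
{"ts":"2025-11-01T10:05:00Z","ip":"198.51.100.7","method":"POST","uri":"/member/address/update/9","member_id":77,"address_member_id":77,"status":200}
{"ts":"2025-11-01T10:06:00Z","ip":"198.51.100.7","method":"GET","uri":"/member/address/list","member_id":77,"address_member_id":null,"status":200}
"""


def parse_log(text):
    """Parse JSON-per-line records and convert the timestamp to datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def is_address_update(rec):
    """Only write methods against the vulnerable endpoint are of interest."""
    return rec["method"] in ("POST", "PUT") and rec["uri"].startswith(TARGET_URI)


def ownership_mismatches(events):
    """Requests where the authenticated member is not the owner of the address
    being updated.  A status of 200 on such a request means the missing
    authorization check was actually exercised, not merely probed."""
    return [r for r in events
            if is_address_update(r)
            and r["address_member_id"] is not None
            and r["member_id"] != r["address_member_id"]]


def authorization_failures(events):
    """Rejected update attempts on the endpoint (expected after the fix)."""
    return [r for r in events if is_address_update(r) and r["status"] == 403]


def ips_touching_many_members(events, min_distinct=3, window=timedelta(minutes=5)):
    """Source IPs whose address updates reference at least `min_distinct`
    different address owners inside a sliding time window.  Returns
    {ip: distinct_owner_count} for the first window that trips the threshold."""
    by_ip = defaultdict(list)
    for r in sorted(events, key=lambda r: r["ts"]):
        if is_address_update(r) and r["address_member_id"] is not None:
            by_ip[r["ip"]].append(r)
    flagged = {}
    for ip, recs in by_ip.items():
        for i, start in enumerate(recs):
            owners = {r["address_member_id"] for r in recs[i:]
                      if r["ts"] - start["ts"] <= window}
            if len(owners) >= min_distinct:
                flagged[ip] = len(owners)
                break
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for r in ownership_mismatches(evs):
        print("mismatch", r["ts"], r["ip"], r["member_id"], "->", r["address_member_id"], r["status"])
    print("authz failures:", len(authorization_failures(evs)))
    print("busy IPs:", ips_touching_many_members(evs))
```

The mismatch rule needs the application to log the owner of the affected address row; where only the URL and session are available, the per-IP distinct-owner rule still works if the address id in the path can be joined against the address table, and a rise in 403s on the endpoint after deploying the fix is itself a useful signal that the check is being hit.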
